12.6 SSH Configuration
12.6.1 Introduction to SSH
When remote users connect to routers across insecure networks, secure shell (SSH) provides authentication and protects against IP spoofing, plain-text password interception and other attacks. Your router can work as an SSH server and/or an SSH client. As an SSH server, it can accept connections from multiple SSH clients; as an SSH client, it can establish SSH connections to routers and UNIX hosts that work as SSH servers. Currently, SSH 2.0 is supported.
Figure 12-9 and Figure 12-10 illustrate two methods for establishing an SSH channel between a client and a server:
- Connect through a LAN
- Connect through a WAN
Figure 12-9 Establish an SSH channel in a LAN
Figure 12-10 Establish an SSH channel through a WAN
To establish an SSH connection, the server and the client go through the following five phases:
1) Version number negotiation
The client starts a TCP connection to the server. After the TCP connection is established, the server and the client negotiate a version number. If the negotiation succeeds, the key algorithm negotiation phase starts; otherwise, the server tears down the TCP connection.
2) Key algorithm negotiation
- The server generates an RSA key pair and an 8-byte random number, and sends the public key part and the random number to the client.
- Both the server and the client use the server's public key and the 8-byte random number as parameters to calculate a 16-byte session ID with the same algorithm.
- The client uses the public key from the server and a random number generated locally as parameters to calculate a session key.
- Using the public key from the server, the client encrypts the locally generated random number used for session key calculation and sends the result to the server.
- Using its private key, the server decrypts the data sent by the client and obtains the random number generated by the client.
- Using its public key and the random number sent by the client as parameters, the server calculates the session key with the same algorithm used by the client.
Thus, the server and the client obtain the same session key. During the session, both ends use this session key to perform encryption and decryption, thereby guaranteeing the security of data transfer.
3) Authentication mode negotiation
- The client sends its username to the server.
- The server initiates a process to authenticate the user. If the user needs no authentication, the server proceeds to the session request phase directly.
- The client uses an authentication mode to authenticate itself to the server until the authentication succeeds or the server tears down the connection because of timeout.
Note:
SSH provides two authentication modes: password and RSA.
1) Password authentication procedure
- The client sends the username and password to the server.
- The server compares the received username and password with the local configuration. If it finds an exact match, the authentication succeeds.
2) RSA authentication procedure
- The server is configured with the RSA public key of the client.
- The client sends the modulus of its RSA public key to the server.
- The server verifies the modulus. If the modulus is valid, the server generates a random number, encrypts it using the RSA public key of the client, and sends the encrypted data back to the client.
- The server and the client use the random number and the session ID as parameters to calculate authentication data.
- The client sends the authentication data it generated to the server.
- The server compares the received authentication data with that calculated locally. If they match, the authentication succeeds.
4) Session request
If the authentication succeeds, the client sends a session request to the server. When the server has successfully processed the request, SSH enters the interactive session phase.
5) Interactive session
The client and the server exchange data until the session is over.
Caution:
If the router works as an SSH server, a SecureCRT client configured with “Enable OpenSSH agent forwarding” cannot log onto the SSH server.
12.6.2 SSH Configuration
SSH configuration includes:
I. Configuring the SSH server
- Set the protocols supported on the current user interface
- Create a local RSA key pair
- Configure the authentication mode for SSH users
- Create SSH users
- Set an interval for updating the server key (optional)
- Set the timeout time of SSH authentication (optional)
- Set the maximum number of SSH authentication retries
- Enter public key view
- Enter public key edit view
- Exit public key edit view
- Assign a public key to an SSH user
- Configure a service type for an SSH user
- Set SSH version compatibility (optional)
II. Configuring the SSH client
- Enable the SSH client
- Configure public key to server associations
- Configure SSH server first-time authentication
12.6.3 Configuring the SSH Server
I. Setting the protocols supported on user interface
This configuration specifies the protocols supported by the system in user interface view. By default, the system supports Telnet and SSH. If SSH is enabled but the local RSA key pair is not configured, users cannot log in through SSH. The configuration takes effect at the next login.
Perform the following operation in user interface view of VTY type.
Table 12-16 Set the protocols supported by system in user interface
Operation: Set the protocols supported by system in user interface
Command: protocol inbound { all | ssh | pad | telnet }
Caution:
If the protocol supported by the user interface is set to SSH, you must set the authentication mode to authentication-mode scheme to ensure a successful login; if authentication-mode password or authentication-mode none is in use, the protocol inbound ssh command fails. Likewise, an SSH-enabled user interface does not allow the configuration of authentication-mode password or authentication-mode none.
II. Creating/destroying a local RSA key pair
This configuration generates the local server and host key pairs. If an RSA key pair already exists, the system asks whether to replace the existing key. The generated key pairs are named router name + server and router name + host respectively. The server key differs from the host key by at least 128 bits. The minimum length of the server and host keys is 512 bits and the maximum length is 2048 bits. By default, the key length is 1024 bits.
Perform the following operation in system view.
Table 12-17 Configure and destroy a local RSA key pair
Operation: Create a local RSA key pair
Command: rsa local-key-pair create
Operation: Destroy a local RSA key pair
Command: rsa local-key-pair destroy
Caution:
The first step in enabling SSH login is to configure and generate the local RSA key pair. Before performing other SSH configurations, you must run the rsa local-key-pair create command to generate the local key pair. It is unnecessary to execute this command again after the router restarts.
If the router works as an SSH 2.0 server, the key pair generated with the rsa local-key-pair create command must be at least 768 bits; otherwise, an SSH 2.0 client cannot log on successfully. For RSA authentication of an SSH 2.0 client, the key pair generated by the SSH 2.0 client must be at least 768 bits as well.
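The two cautions above (scheme authentication is mandatory on an SSH-enabled VTY, and SSH is unusable without a local RSA key pair) are easy to check mechanically before a configuration session is applied. The following Python linter is an added example, not Huawei's code: it reads a configuration transcript in the prompt-prefixed form used throughout this chapter, collects the authentication-mode and protocol inbound settings of each user-interface block, and reports a finding for each violated rule. The transcripts it runs on are constructed here; it treats protocol inbound all as enabling SSH for the key-pair check and does not model the interactive key-length prompt of rsa local-key-pair create.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Strips the CLI prompt prefix, e.g. "[Router-ui-vty0-4] ", from a transcript line.
PROMPT = re.compile(r"^\[[^\]]*\]\s*")


@dataclass
class VtyBlock:
    """Settings collected from one 'user-interface vty ...' block."""
    name: str
    auth_mode: Optional[str] = None
    protocols: Set[str] = field(default_factory=set)


def parse_session(text: str) -> Tuple[bool, List[VtyBlock]]:
    """Return (local_key_pair_created, vty_blocks) from a configuration transcript."""
    key_created = False
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[:3] == ["rsa", "local-key-pair", "create"]:
            key_created = True
        elif words[0] == "user-interface":
            current = VtyBlock(" ".join(words[1:]))
            blocks.append(current)
        elif words[0] == "quit":
            current = None  # back to system view
        elif current is not None and words[0] == "authentication-mode" and len(words) > 1:
            current.auth_mode = words[1]
        elif current is not None and words[:2] == ["protocol", "inbound"] and len(words) > 2:
            current.protocols.add(words[2])
    return key_created, blocks


def lint(text: str) -> List[str]:
    """Return one finding per violated rule; an empty list means the transcript passes."""
    findings: List[str] = []
    key_created, blocks = parse_session(text)
    for b in blocks:
        if "ssh" in b.protocols and b.auth_mode in ("password", "none"):
            findings.append(f"{b.name}: protocol inbound ssh with authentication-mode "
                            f"{b.auth_mode}; authentication-mode scheme is required")
        if "ssh" in b.protocols and b.auth_mode is None:
            findings.append(f"{b.name}: protocol inbound ssh but authentication-mode scheme "
                            "is not set in this block")
        if b.protocols & {"ssh", "all"} and not key_created:
            findings.append(f"{b.name}: SSH enabled but rsa local-key-pair create was never run")
    return findings


# Constructed transcripts for the check (not captured from a real router).
GOOD_CONFIG = """\
[Router] rsa local-key-pair create
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
"""

BAD_CONFIG = """\
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode password
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or "OK")
```

The linter only understands the handful of commands the two cautions concern; any other line in the transcript is ignored, so it can be run over a complete session capture without special preparation.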
III. Configuring an authentication mode for SSH users
This configuration specifies an authentication mode for SSH users. The newly configured authentication mode takes effect at the next login.
Perform the following configuration in system view.
Table 12-18 Configure authentication mode for SSH user
Operation: Specify an authentication mode for an SSH user
Command: ssh user username authentication-type { password | rsa | all }
Operation: Restore the default, where login is always denied
Command: undo ssh user username authentication-type
Operation: Specify a default authentication mode for SSH users
Command: ssh authentication-type default { password | rsa | all | password-publickey }
Operation: Delete the specified default authentication mode for SSH users
Command: undo ssh authentication-type default
The authentication mode specified with the ssh user username authentication-type command applies only to that SSH user, while the one specified with the ssh authentication-type default command is the default authentication mode for all SSH users. For an SSH user, the mode configured with the ssh user username authentication-type command always takes precedence over the one configured with the ssh authentication-type default command.
Note:
If password authentication is adopted, the user name specified in the ssh user authentication-type command must be consistent with the user name defined in AAA. If RSA authentication is adopted, the value of this argument is a local SSH user name and need not be defined in AAA.
IV. Creating SSH users
All SSH users need authentication. Before creating an SSH user with the ssh user command, you must specify a default authentication mode with the ssh authentication-type default command. Perform the following configuration in system view.
Table 12-19 Create an SSH user
Operation: Create an SSH user
Command: ssh user username
Operation: Delete an SSH user
Command: undo ssh user username
Note:
If password authentication is adopted, the user name specified in the ssh user command must be consistent with the user name defined in AAA. If RSA authentication is adopted, the value of this argument is a local SSH user name and need not be defined in AAA.
If the default authentication mode for SSH users is password and local AAA authentication is adopted, you do not necessarily need to use the ssh user command to create an SSH user. Instead, you can use the local-user command to create a user name and its password and then set the service type of the user to SSH.
V. Setting an interval for updating the server key
To ensure security of the connections to the SSH server, update its key regularly. Perform the following configuration in system view.
Table 12-20 Set an interval for updating the SSH server key
Operation: Set an interval for updating the SSH server key
Command: ssh server rekey-interval hours
Operation: Restore the default update interval
Command: undo ssh server rekey-interval
By default, the server key is not updated.
VI. Setting the timeout time of SSH authentication
This configuration sets the time-out time of SSH authentication.
Perform the following configuration in system view.
Table 12-21 Set the timeout time of SSH authentication
Operation: Set the timeout time of SSH authentication
Command: ssh server timeout seconds
Operation: Restore the default time-out time of SSH authentication
Command: undo ssh server timeout
By default, the time-out time is 60 seconds.
VII. Setting maximum number of SSH authentication retries
To prevent malicious behaviors such as password guessing, limit the number of SSH authentication retries.
Perform the following configuration in system view.
Table 12-22 Set maximum number of SSH authentication retries
Operation: Set the maximum number of SSH authentication retries
Command: ssh server authentication-retries times
Operation: Restore the default maximum number of SSH authentication retries
Command: undo ssh server authentication-retries
The maximum number of SSH authentication retries defaults to 3. For password-publickey authentication, the maximum number of SSH authentication retries must be greater than two, because one retry is consumed by sending the public key. Otherwise, the SSH client cannot log into the SSH server.
VIII. Configuring client public key
Two ways of configuring client public keys are available.
1) Manual configuration
Enter public key view with the rsa peer-public-key command. With the public-key-code begin and public-key-code end commands, you can input or copy the client public key manually.
Table 12-23 Configuring a client public key manually
Operation: At the SSH 1.0/2.0 client, generate a random RSA key pair
Command: --
Operation: Convert the public key part to PKCS code with the SSHKEY.EXE software
Command: --
Operation: Configure the client public key on the router:
  - Enter public key view (in system view)
    Command: rsa peer-public-key key-name
  - Enter public key edit view to copy the public key converted by SSHKEY.EXE (in public key view)
    Command: public-key-code begin
  - Exit to public key view, with the public key being saved automatically (in public key edit view)
    Command: public-key-code end
  - Exit to system view (in public key view)
    Command: peer-public-key end
The client public key is a hexadecimal character string generated by the PKCS coding of the SSHKEY.EXE software. The following shows the configuration details.
[Router] rsa peer-public-key quidway002
[Router-rsa-public-key] public-key-code begin
[Router-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-rsa-key-code] public-key-code end
[Router-rsa-public-key] peer-public-key end
2) With the rsa peer-public-key key-name import sshkey filename command
Table 12-24 Configure a client public key with the rsa peer-public-key key-name import sshkey filename command
Operation: At the SSH 1.5/2.0 client, generate a random RSA key pair and save the key file
Command: --
Operation: Configure the client public key on the router:
  - Send the public key file to the Flash on the router through FTP/TFTP
    Command: refer to section 5.2 “System Management Overview” and section 5.3 “System Management Overview”
  - Perform public key format conversion and configuration
    Command: rsa peer-public-key key-name import sshkey filename
This way is more convenient and recommended.
Note:
The filename argument must be the name of the public key file saved on the Flash.
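Whichever of the two ways is used, the client public key ends up on the router as the hexadecimal string shown under manual configuration. Before pasting such a string it is worth confirming that it is well formed and that the key is long enough for the 768-bit minimum stated in the caution on local RSA key pairs. The following Python parser is an added example, not part of SSHKEY.EXE or the router software: it assumes the hex string is a DER-encoded SEQUENCE of two INTEGERs (the PKCS#1 RSAPublicKey layout, modulus followed by public exponent), extracts both, and checks the modulus length. The sample input is the quidway002 key from the manual configuration example above.

```python
from typing import List, Tuple

MIN_BITS = 768  # minimum RSA key length stated for SSH 2.0 clients in this chapter


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(hex_lines: List[str]) -> Tuple[int, int]:
    """Return (modulus, exponent) from the hex lines typed in public key edit view."""
    der = bytes.fromhex("".join(hex_lines))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag, n_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("modulus is not a DER INTEGER")
    tag, e_bytes, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body):
        raise ValueError("exponent is not a DER INTEGER, or trailing data present")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def modulus_bits(hex_lines: List[str]) -> int:
    """Bit length of the RSA modulus carried in the pasted key."""
    modulus, _ = parse_rsa_public_key(hex_lines)
    return modulus.bit_length()


def key_meets_minimum(hex_lines: List[str], min_bits: int = MIN_BITS) -> bool:
    """True when the pasted key satisfies the stated minimum length."""
    return modulus_bits(hex_lines) >= min_bits


# The quidway002 key from the manual configuration example in this section.
EXAMPLE_KEY = [
    "308186028180739A291ABDA704F5D93DC8FDF84C427463",
    "1991C164B0DF178C55FA833591C7D47D5381D09CE82913",
    "D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4",
    "0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC",
    "C48E3306367FE187BDD944018B3B69F3CBB0A573202C16",
    "BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125",
]

if __name__ == "__main__":
    n, e = parse_rsa_public_key(EXAMPLE_KEY)
    print(f"modulus: {n.bit_length()} bits, exponent: {e}, "
          f"meets {MIN_BITS}-bit minimum: {key_meets_minimum(EXAMPLE_KEY)}")
```

Running it on the example key reports a 1023-bit modulus with public exponent 37, so the key clears the 768-bit minimum. The parser deliberately rejects anything that is not exactly one SEQUENCE of two INTEGERs, so a line dropped or duplicated while copying the hex string is caught as a truncation or trailing-data error rather than silently producing a wrong modulus.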
IX. Assigning an SSH user a public key
Perform the following configuration in system view to assign a public key to an SSH user.
Table 12-25 Assign an SSH user a public key
Operation: Assign a public key to an SSH user
Command: ssh user username assign rsa-key keyname
Operation: Remove the association of a public key to an SSH user
Command: undo ssh user username assign rsa-key
X. Configuring a service type for an SSH user
Perform the following configuration in system view to configure a service type for an SSH user.
Table 12-26 Configure a service type for an SSH user
Operation: Configure a service type for an SSH user
Command: ssh user username service-type { stelnet | sftp | all }
Operation: Restore the default service type for an SSH user
Command: undo ssh user username service-type
The default service type for an SSH user is stelnet.
XI. Setting SSH version compatibility
Perform the following configuration in system view to enable/disable the SSH server to work with SSH1.X clients.
Table 12-27 Enable/disable the SSH server to work with SSH1.X clients
Operation: Enable the SSH server to work with SSH1.X clients
Command: ssh server compatible_ssh1x enable
Operation: Disable the SSH server to work with SSH1.X clients
Command: undo ssh server compatible_ssh1x
By default, the SSH server works with SSH1.X clients.
XII. Specifying a source interface/IP address for the SSH server
Perform the following configuration in system view.
Table 12-28 Specify a source interface or source IP address for the SSH server
Operation: Specify a source interface for the SSH server
Command: ssh-server source-interface interface-type interface-number
Operation: Delete the source interface specified for the SSH server
Command: undo ssh-server source-interface
Operation: Specify a source IP address for the packets sent by the SSH server
Command: ssh-server source-ip ip-address
Operation: Delete the source IP address for the packets sent by the SSH server
Command: undo ssh-server source-ip
By default, the source IP address in each packet sent by the SSH server is the IP address of the interface where the packet is sent out.
Note:
You may specify a source IP address for the packets sent by the SSH server with either the ssh-server source-interface command or the ssh-server source-ip command. If both commands are configured, the one configured later overrides the previous one.
12.6.4 Configuring the SSH Client
I. Enabling the SSH client
When enabling the SSH client to connect to the server, you can specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the client and the server.
Perform the following configuration in system view.
Table 12-29 Enable the SSH client
Operation: Enable the SSH client
Command: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]
II. Configuring public key to server associations
You need to associate an SSH server with the name assigned to its public key. When connecting to this server, the client verifies the server's trustworthiness based on this association.
Perform the following configuration in system view.
Table 12-30 Associate an SSH server with a public key
Operation: Associate an SSH server with its public key
Command: ssh client server assign rsa-key keyname
Operation: Remove an SSH server to public key association
Command: undo ssh client server assign rsa-key keyname
III. Configuring SSH server first-time authentication
The configuration of first-time authentication decides the action taken by the SSH client when it accesses a server whose public key it does not have:
- With first-time authentication enabled, the SSH client can attempt to access the server and obtain the server's public key through negotiation. This public key can then be saved on the client for the next access.
- With first-time authentication disabled, the SSH client refuses to access such a server. To access the server, you must save its public key on the SSH client beforehand.
Perform the following configuration in system view.
Table 12-31 Configure first-time authentication
Operation: Enable SSH server first-time authentication
Command: ssh client first-time enable
Operation: Disable SSH server first-time authentication
Command: undo ssh client first-time
By default, first-time authentication is enabled on the SSH client.
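The interaction between the public key to server association (section II) and the first-time authentication switch (section III) is a trust-on-first-use policy, and its four outcomes are easiest to see in a small model. The following Python class is an added example, not the router's implementation: it keeps a per-server store of saved key fingerprints (what ssh client server assign rsa-key populates), accepts and saves an unknown server only when first-time authentication is enabled, refuses an unknown server when it is disabled, and in both settings refuses a server whose presented key differs from the saved one, which is how the verification described in section II is modelled here. The "Do you want to save the server's public key?" prompt seen in the client example later in this chapter is simplified to an automatic save, and the key material is a constructed stand-in byte string.

```python
import hashlib
from typing import Dict


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a server key; SHA-256 over the constructed key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class SshClient:
    """Model of the router's SSH client host-key trust decisions."""

    def __init__(self, first_time_enabled: bool = True):
        self.first_time_enabled = first_time_enabled  # ssh client first-time enable / undo
        self.known_servers: Dict[str, str] = {}  # server address -> saved key fingerprint

    def assign_rsa_key(self, server: str, public_key: bytes) -> None:
        """Pre-configure a server's key, as 'ssh client <server> assign rsa-key <keyname>' does."""
        self.known_servers[server] = fingerprint(public_key)

    def remove_rsa_key(self, server: str) -> None:
        """Drop the association, as the undo form does."""
        self.known_servers.pop(server, None)

    def connect(self, server: str, presented_key: bytes) -> str:
        """Decide whether to proceed with the server key presented during negotiation.

        Returns 'accepted', 'accepted-and-saved' or a string starting with 'refused:'.
        """
        presented = fingerprint(presented_key)
        saved = self.known_servers.get(server)
        if saved is None:
            if not self.first_time_enabled:
                return ("refused: no public key saved for this server and "
                        "first-time authentication is disabled")
            # First-time authentication: trust the key now and remember it.
            self.known_servers[server] = presented
            return "accepted-and-saved"
        if saved != presented:
            # A known server presenting a different key is never accepted silently.
            return "refused: presented key does not match the saved public key"
        return "accepted"


if __name__ == "__main__":
    # Constructed keys standing in for real RSA public keys.
    key_a, key_b = b"constructed-server-key-A", b"constructed-server-key-B"
    client = SshClient(first_time_enabled=True)
    print(client.connect("10.165.87.136", key_a))  # accepted-and-saved
    print(client.connect("10.165.87.136", key_a))  # accepted
    print(client.connect("10.165.87.136", key_b))  # refused: ...
```

With first-time authentication disabled, the only way a connection succeeds is through a prior assign_rsa_key call, which is the operational meaning of "you must save its public key on the SSH client beforehand".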
IV. Specifying a source interface/IP address for the SSH client
Perform the following configuration in system view.
Table 12-32 Specify a source interface or source IP address for the SSH client
Operation: Specify a source interface for the SSH client
Command: ssh2 source-interface interface-type interface-number
Operation: Delete the source interface specified for the SSH client
Command: undo ssh2 source-interface
Operation: Specify a source IP address for the packets sent by the SSH client
Command: ssh2 source-ip ip-address
Operation: Delete the source IP address for the packets sent by the SSH client
Command: undo ssh2 source-ip
By default, the source IP address in each packet sent by the SSH client is the IP address of the interface where the packet is sent out.
Note:
You may specify a source IP address for the packets sent by the SSH client with either the ssh2 source-interface command or the ssh2 source-ip command. If both commands are configured, the one configured later overrides the previous one.
12.6.5 Displaying and Debugging
After completing the above configuration, execute the display commands in any view to show the running status of SSH and verify the configuration. Displaying and debugging SSH lets you view the configuration of the various SSH users, so as to use system resources better and keep information connections secure.
Table 12-33 View relevant information about SSH
Operation: View the public key of the host and server key pairs
Command: display rsa local-key-pair public
Operation: Display the RSA public key of a client
Command: display rsa peer-public-key [ brief | name keyname ]
Operation: Display SSH status information and session information
Command: display ssh server { status | session }
Operation: Display SSH user information
Command: display ssh user-information [ username ]
Operation: Display the current source IP address setting of the SSH server
Command: display ssh-server source-ip
Operation: Display the current source IP address setting of the SSH client
Command: display ssh2 source-ip
Execute the debugging commands in user view.
Table 12-34 Debug information on SSH
Operation: Enable SSH server debugging
Command: debugging ssh server { vty index | all }
Operation: Disable SSH server debugging
Command: undo debugging ssh server { vty index | all }
Operation: Enable SSH client debugging
Command: debugging ssh client
Operation: Disable SSH client debugging
Command: undo debugging ssh client
Operation: Enable RSA debugging
Command: debugging rsa
Operation: Disable RSA debugging
Command: undo debugging rsa
12.6.6 SSH Configuration Example
I. Network requirements
As shown in Figure 12-11, the console terminal (the SSH client) is directly connected to the router through an Ethernet interface. Run SSH 2.0 client software on the terminal to log onto the router securely for configuration and management. The username of the SSH client is client001@169.254.0.1 and the password is huawei.
II. Network diagram
Figure 12-11 Network diagram for SSH server configuration
III. Configuration procedure
1) Configure the SSH server (the router)
The configuration procedure varies with the login authentication mode. However, all procedures must start with creating the local RSA key pair using the following command:
[Router] rsa local-key-pair create
Note:
If local key pairs already exist, skip this step.
Set the authentication method for the SSH user to password.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] local-user client001
[Router-luser-client001] password simple huawei
[Router-luser-client001] service-type ssh
[Router-luser-client001] quit
[Router] ssh user client001 authentication-type password
[Router] domain 169.254.0.1
[Router-isp-169.254.0.1] scheme local
[Router-isp-169.254.0.1] quit
The default values for the authentication time-out time, retry count and server key update interval can be adopted. After these configurations, you can run SSH 2.0 client software on a terminal connected to the router and access the router with username client001 and password huawei.
Set the authentication method for the SSH user to RSA.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] ssh user client002 authentication-type rsa
Then, use the SSH 2.0 client software to generate a random RSA key pair (public and private keys) and copy the public key into the specified rsa peer-public-key on the SSH server. The RSA public key discussed here is a hexadecimal string coded according to the PKCS standard by the SSHKEY.EXE software provided by our company.
[Router] rsa peer-public-key quidway002
[Router-rsa-public] public-key-code begin
[Router-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-key-code] public-key-code end
[Router-rsa-public] peer-public-key end
[Router] ssh user client002 assign rsa-key quidway002
2) Configure the SSH client
When password authentication applies, you need to configure at the client the IP address of a reachable interface on the SSH server (the router), 169.254.0.1 in this example, set the protocol type to SSH, and use SSH version 2. After opening the SSH connection, enter the user name and password to access the router configuration interface.
login as: client001
Sent username "client001"
client001@169.254.0.1's password:
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                *
* no decompiling or reverse-engineering shall be allowed.                   *
****************************************************************************
<Router>
When RSA authentication applies, in addition to the configuration tasks done for password authentication, you must specify an RSA private key file, which is generated randomly by the client software. After opening the SSH connection, enter the user name to access the router configuration interface.
login as: client002
Sent username "client002"
Trying public key authentication.
No passphrase required.
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                *
* no decompiling or reverse-engineering shall be allowed.                   *
****************************************************************************
<Router>
Caution:
To set up an SSH connection, make sure that the user name provided at login is the same as the one configured on the router with the ssh user username command.
12.6.7 SSH Client Configuration Example
I. Network requirements
Router B is working as the SSH client with user name client003. Router A is working as the SSH server with IP address 10.165.87.136.
II. Network diagram
Figure 12-12 Network diagram for SSH client configuration
III. Configuration procedure
1) Configure the SSH server (Router A)
Refer to the configuration procedure in section 12.6.6 “SSH Configuration Example”.
2) Configure the SSH client (Router B)
# Enable SSH server first-time authentication.
[Router] ssh client first-time enable
# Enable the SSH client. The configuration varies depending on the adopted authentication mode. When password authentication and the default algorithms are adopted, do the following:
[Router] ssh2 10.165.87.136
Please input the username: client003
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated. Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
Enter password:
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                *
* no decompiling or reverse-engineering shall be allowed.                   *
****************************************************************************
<Router>
When RSA authentication is adopted, do the following:
[Router] ssh2 10.165.87.136 22 prefer_kex dh_group1 prefer_ctos_cipher des prefer_stoc_cipher 3des prefer_ctos_hmac md5 prefer_stoc_hmac md5
Please input the username: client003
Trying 10.165.87.136...
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated. Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved. *
* Without the owner's prior written consent,                                *
* no decompiling or reverse-engineering shall be allowed.                   *
****************************************************************************
<Router>